Volkswagen Cars Open To Remote Hacking, Researchers Warn

Vulnerable in-vehicle infotainment systems have left some Volkswagen cars open to remote hacking, researchers warn.

UPDATE – Over the last few years, automakers like Ford, Jeep, Nissan and Toyota have all suffered car-hacking vulnerabilities in their vehicles. Now, it looks like Volkswagen has been pulled into the mix after researchers discovered that in-vehicle infotainment (IVI) systems in certain Volkswagen-manufactured cars could be remotely hacked.

Not only that, but it’s possible to pivot to more critical systems.

The vulnerability was discovered in the Volkswagen Golf GTE and an Audi A3 Sportback e-tron, which were both manufactured in 2015. Computest researchers Daan Keuper and Thijs Alkemade, who discovered the flaw, said that under certain conditions the IVI vulnerability could enable attackers to commandeer the on-board microphone to listen in on the conversations of the driver, turn the microphone on and off, and access the system’s complete address book and the conversation history. There is also a possibility of hackers tracking the car through the navigation system at any given time, they said.

A Volkswagen spokesperson told Threatpost that the vehicles impacted are those produced with Discover Pro infotainment systems – Golf GTE and Audi A3 e-tron.

“We have been in contact with Computest since mid-2017,” the spokesperson told Threatpost. “The bug fix – in other words eliminating the vulnerability – had already taken place in early May 2016.”

The spokesperson stressed that “from what is currently known, it is impossible for [attackers] to manipulate the brakes, steering or vehicle access systems.”

The researchers said they were able to leverage an undisclosed vulnerability in Harman-manufactured modular infotainment (MIB) platforms in the affected car models to access the IVI system remotely via Wi-Fi. Then, they exploited an exposed port to gain access to the management software of the system: “We can remotely compromise the MIB IVI system and from there send arbitrary CAN [controller area network] messages on the IVI CAN bus,” they said in a report. “As a result, we can control the central screen, speakers and microphone. This is a level of access that no attacker should be able to achieve.”

Beyond an Annoyance Hack

The researchers initially found they could use the vulnerability to read arbitrary files from disk, but quickly found that they could expand their possibilities into full remote-code execution.

The access didn’t stop there: Through the vulnerability, Computest researchers also found that they could access the IVI system’s multimedia applications unit (MMX) main processor, which is responsible for tasks like screen compositing and multimedia decoding. From there, they were able to control the radio and car control unit (RCC).

“The next step would be to send arbitrary CAN messages over the bus to see if we can reach any safety critical components,” said the report.

However, sending an arbitrary CAN message to the CAN bus would involve hacking a chip that is directly connected to a gateway, and is used to firewall messages between different CAN buses. At this point, Computest researchers said that they decided to drop their research, as it would require extracting the firmware from the chip using a physical vector.

“After careful consideration we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law,” Computest researchers said.

Not Fixable OTA

Computest brought its research to Volkswagen in the summer of 2017. Keuper said that in April 2018, Volkswagen provided Computest with a letter confirming the vulnerabilities, and stating that they have been fixed in a software update to the infotainment system – meaning that cars produced since the update will not be impacted by the vulnerabilities.

Although Volkswagen has fixed cars currently being produced, the Computest researchers stressed that they would not disclose further details about the vulnerability because the updates cannot be delivered over-the-air (OTA); as a result, affected car owners have to visit their dealers for a fix.

“The system we investigated can also not be updated by the end user itself, a user needs to go to an official dealer to receive an update,” Keuper told Threatpost in an email. “However, based on our experience, it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack.”

In an ideal world, instead of having to proactively request an update themselves at the dealer, consumers should get the updates pushed automatically OTA, similar to a smartphone, said Keuper.

“This is also the key point in our research: these are all problems we can fix in the car of tomorrow, for example by enabling OTA updates,” he said. “But what about the cars that are sold today? They will be around for the next 15 to 18 years and will most likely never receive security updates.”

Car security issues – and how manufacturers respond to them – came to the forefront in 2015, after researchers Charlie Miller and Chris Valasek famously remotely hacked a 2014 Jeep Cherokee to control the braking, steering and acceleration of the vehicle. Since then, the attack surface for many vehicles has only expanded as infotainment systems and other Wi-Fi-enabled capabilities have become increasingly popular in cars.

For now, owners of impacted vehicles need to make sure they explicitly ask for security updates, Keuper told Threatpost. Meanwhile, manufacturers can also adopt security measures to tighten security, such as including third-party components as part of quality and security assurance measures.

Discussion

There are a few things that I will never own.
1. Alexa because I really don't need Amazon listening to everything I say
2. Internet-connected car since I don't trust the security of such things and I'd rather not have the vendor, the insurance company, the telephone company... know my every move.

Once again, a not as advertised 'critical hack'.
If they are using WiFi that means the car is running or the key is in the Run/On position. Also, if they are using Wifi, they would need to be relatively close to the car. They would also need a system to determine which car they are hacking. In a lab this sounds cool, but in real life, this isn't going to accomplish much.
Additionally, the only thing they accomplished, at most, was recording audio and potentially getting contacts off of the navigation unit.
They were not able to compromise any actual systems and 'gave up' because they knew it wasn't going to be possible to get farther due to the gateway between infotainment and the rest of the car.
I get that they did successfully 'hack something', but can we please stop the fear mongering-ish posts making it seem like "yet another" car was fully compromised?
